git: 1af332a7d8f8 - main - rtsold: Fix validation of RDNSS options

Sun, 21 Mar 2021 11:20:00 -0700 

The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c

commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2021-03-21 18:18:10 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2021-03-21 18:19:42 +0000

    rtsold: Fix validation of RDNSS options
    
    The header specifies the size of the option in multiples of eight bytes.
    The option consists of an eight-byte header followed by one or more IPv6
    addresses, so the option is invalid if the size is not equal to 1+2n for
    some n>0.  Check this.
    
    The bug can cause random stack data to be formatted as an IPv6 address
    and passed to resolvconf(8), but a host able to trigger the bug may also
    specify arbitrary addresses this way.
    
    Reported by:    Q C <cq674350...@gmail.com>
    Sponsored by:   The FreeBSD Foundation
    MFC after:      3 days
---
 usr.sbin/rtsold/rtsol.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 30027fc65ac9..76756bfd8393 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -363,13 +363,19 @@ rtsol_input(int sock)
                case ND_OPT_RDNSS:
                        rdnss = (struct nd_opt_rdnss *)raoptp;
 
-                       /* Optlen sanity check (Section 5.3.1 in RFC 6106) */
-                       if (rdnss->nd_opt_rdnss_len < 3) {
+                       /*
+                        * The option header is 8 bytes long and each address
+                        * occupies 16 bytes, so the option length must be
+                        * greater than or equal to 24 bytes and an odd multiple
+                        * of 8 bytes.  See section 5.1 in RFC 6106.
+                        */
+                       if (rdnss->nd_opt_rdnss_len < 3 ||
+                           rdnss->nd_opt_rdnss_len % 2 == 0) {
                                warnmsg(LOG_INFO, __func__,
-                                       "too short RDNSS option"
-                                       "in RA from %s was ignored.",
-                                       inet_ntop(AF_INET6, &from.sin6_addr,
-                                           ntopbuf, sizeof(ntopbuf)));
+                                   "too short RDNSS option in RA from %s "
+                                   "was ignored.",
+                               inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf,
+                                   sizeof(ntopbuf)));
                                break;
                        }
 
_______________________________________________
dev-commits-src-main@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"

Reply via email to